1. Field of the Invention
The present invention relates to a ring authentication method for a concurrency environment, the method capable of providing unforgeability, sender anonymity, and deniability in the concurrency environment.
The present invention was supported by the IT R&D program of MIC/IITA. [Project code: 2005-Y-001-02, Project title: Developments of next generation security technology]
2. Description of the Related Art
Message authentication indicates a technology in which, when a sender sends a message to a receiver, the receiver is capable of confirming an identification (ID) of the sender, which should provide unforgeability, sender anonymity, and deniability.
In this case, the unforgeability indicates that an attacker is incapable of disguising as another user, the sender anonymity indicates that receiver is only known that “a sender of a message is one of n number of users.” but a actual sender is unknown, and the deniability indicates that the attacker is incapable of certifying that “a sender and a receiver authenticate a message.” to another user by using an obtained authentication protocol message.
As a message authentication method, a ring authentication method (CRYPTO 2002, refer to p 481-498) is provided by Moni Naor. The ring authentication method uses that a person who knows a private key corresponding to a public key is capable of correctly extracting a plaintext from a ciphertext. The ring authentication method is formed in such a way that only a person who knows a private key corresponding to at least on public key of several public keys is capable of knowing a correct plaintext.
However, in real life, several sessions may be concurrently performed. The ring authentication method is incapable of providing the deniability when the receiver performs protocols with several senders at the same time.
To provide the deniability in a concurrency environment, a ring authentication method using a ring signature and a chameleon hash function is proposed by Susilio and Mu (ICISC 2003, refer to p386-401). The method proposed by Susilio and Mu uses the ring signature and allows a receiver to know that one user belonging to a certain user set signs. According to the method, a message sender may deny “a message m is authenticated” with respect to a certain message. However, a fact that “a message is authenticated” is incapable of being denied. Accordingly, perfect deniability is not provided.